DETAILED ACTION

1. This Office Action is in response to the Applicant's argument filed on April 27,
2009.

2. Claims 1-17 are pending. 

Response to Amendment 

3. The Declaration filed on 4/27/09 under 37 CFR 1.131 is sufficient to overcome
the Christodorescu reference. 

Response to Arguments 

4. Applicant's arguments filed on 4/27/09 have been considered but are moot in 
view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1. Claims 1-3 and 6-10 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Nachenberg U.S. Patent Number 6,357,008 in view of Nachenberg US 6,851,057
(hereinafter Nachenberg '057) and in view of Schmall et al. (hereinafter Schmall) US
7,069,589.
As per claim 1:

Nachenberg teaches a computer program for identifying malicious portions in a
suspect computer program comprising: 

a preprocessor portion for receiving the suspect computer program and creating 
a logically equivalent standardized version of the suspect program; (col. 5, lines 27-39; 
col. 6, line 53-col. 7, line 22) 

a library of standardized malicious code portions; (col. 7, line 23-col. 8, line 31; 
col. 9, lines 26-65) and 

a detector portion reviewing the standardized version against the library of 
malicious code portions to provide an output indicating when a malicious code portion is 
present in the suspect program, (col. 9, line 66-col. 10, line 10; col. 15, line 38-col.
16, line 63)

Nachenberg does not explicitly disclose creating a logically equivalent 
standardized version of the suspect program without executing the suspect program. 
Nachenberg '057 in analogous art, however, discloses creating a logically equivalent 
standardized version of the suspect program, (col. 3, lines 1-67; col. 4, line 51-67; col. 
8, line 5-col. 9, line 14) Therefore it would have been obvious to one of ordinary skill in the
art at the time the invention was made to modify the method disclosed by Nachenberg
with Nachenberg '057 in order to prevent a virus from modifying the destination of an
existing JMP or CALL instruction anywhere in the file to point to the location of viral code
elsewhere in the file. (col. 5, lines 58-64; Nachenberg '057)

Both references do not explicitly disclose a preprocessor creating standardized
version without executing the suspect program. Schmall in analogous art, however,
discloses creating standardized version without executing the suspect program, (col. 8,
lines 7-42) Therefore it would have been obvious to one of ordinary skill in the art at the
time the invention was made to modify the method disclosed by Nachenberg and
Nachenberg '057 with Schmall in order to detect a virus that copies itself
differently by changing the order of code execution the virus, (col. 2, lines 47-54;
Schmall)

As per claim 2: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg further teaches wherein the 
standardized version identifies the execution order of instructions of the suspect 
program and wherein the detector portion reviews the instructions of the standardized 
version according to the execution order, (col. 2, line 38-col. 4, line 65; col. 7, line 23-
col. 8, line 31; col. 9, line 26-col. 10, line 10; col. 15, line 38-col. 16, line 63)
As per claim 3: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg teaches wherein the
preprocessor identifies the execution order of the instructions by generation of a
control-flow listing of the instructions, (col. 2, line 38-col. 4, line 65; col. 9, lines 26-67)
As per claim 6: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg further teaches wherein the 
standardized version removes irrelevant portions of the suspect program, (col. 13, line 
42-col. 15, line 37)

As per claim 7: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg teaches wherein the
preprocessor removes irrelevant portions by identifying irrelevant portions to the
detector so that the detector ignores identified irrelevant portions when reviewing the 
standardized version, (col. 13, line 42-col. 15, line 37) 
As per claim 8: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg teaches wherein the 
irrelevant portions are one or more nop instructions, (col. 13, line 42-col. 15, line 37) 
As per claim 9: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg teaches wherein the 
standardized version uses uninterpreted variables, (col. 13, line 42-col. 15, line 37) 
As per claim 10: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. In addition, Nachenberg teaches wherein the 
suspect program is a binary executable and wherein the preprocessor receives the 
binary executable to generate a listing of instructions and data values, (col. 13, line 42- 
col. 15, line 37) 

2. Claims 4-5, 11 and 14-17 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Nachenberg U.S. Patent Number 6,357,008 in view of Nachenberg
US 6,851,057 (hereinafter Nachenberg '057) in view of Schmall et al. (hereinafter
Schmall) US 7,069,589 and further in view of Ho et al. (hereinafter Ho) U.S. Patent 
Number 7,188,369. 
As per claims 4 and 14: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the 
subject matter as discussed above. None of the references explicitly disclose wherein 
the standardized version maps instructions of the suspect program to corresponding 
standard synonym instructions. Ho in analogous art, however, discloses wherein the 
standardized version maps instructions of the suspect program to corresponding 
standard synonym instructions, (col. 5, lines 25-col. 6, line 40) Therefore it would have 
been obvious to one of ordinary skill in the art at the time the invention was made to
modify the method disclosed by Nachenberg, Nachenberg '057 and Schmall with Ho in 
order to receive external instructions and for execution and perform their respective 
antivirus functionalities, (col. 6, lines 18-21; Ho) 
As per claims 5 and 15: 

The combination of Nachenberg, Nachenberg '057, Schmall and Ho teaches all 
the subject matter as discussed above. In addition, Ho further teaches wherein the
standard synonym instructions are different in number from the instructions of the 
suspect program to which the synonym instructions map. (col. 5, lines 25-col. 6, line 40) 
As per claims 11 and 16: 

The combination of Nachenberg, Nachenberg '057 and Schmall teaches all the
subject matter as discussed above. None of the references explicitly disclose including 
a library of patterns matching to one or more instructions of the suspect program and 
wherein the preprocessor creates the standardized version by replacing instructions of 
the suspect program with matching ones of the library of patterns and wherein the 
library of standardized malicious code portions are also collections of ones of the library 
of patterns, (col. 5, lines 25-col. 6, line 40) Therefore it would have been obvious to one of
ordinary skill in the art at the time the invention was made to modify the method
disclosed by Nachenberg, Nachenberg '057 and Schmall with Ho in order to receive 
external instructions and for execution and perform their respective antivirus 
functionalities, (col. 6, lines 18-21; Ho) 
As per claim 17: 

The combination of Nachenberg, Nachenberg '057, Schmall and Ho teaches all 
the subject matter as discussed above. In addition, Ho further teaches wherein a pattern 
is at least one instruction logically replacing at least one different instruction in the 
suspect program, (col. 5, lines 25-col. 6, line 40) 

Allowable Subject Matter 

3. Claims 12 and 13 are objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

Conclusion

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to SHEWAYE GELAGAY whose telephone number is 
(571)272-4219. The examiner can normally be reached on 8:00 am to 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Examiner, Art Unit 2437 
/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



